Use a password manager
It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to login to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.
Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.
It's free, it's convenient, it takes a few minutes to set up, and its a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.
Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.
Best Password Manager for Business, Enterprise & Personal | Bitwarden | Bitwarden
Bitwarden is the most trusted password manager for passwords and passkeys at home or at work, on any browser or device. Start with a free trial.Bitwarden
like this
shortwavesurfer
in reply to The 8232 Project • • •root
in reply to The 8232 Project • • •In my experience preaching this same thing to many users at work and just personal friends, they won't change their ways. Because "omg not another password to remember" and "that's too much work to login just to get a password".
I've just stopped trying to educate people at this point. That's on them when their info gets leaked or accounts drained.
zephorah
in reply to root • • •Jessica
in reply to zephorah • • •subtext
in reply to Jessica • • •Bitwarden Password Manager Pricing & Plans | Bitwarden
Bitwardenmorrowind
in reply to Jessica • • •☂️-
in reply to Jessica • • •Jessica
in reply to ☂️- • • •☂️-
in reply to Jessica • • •Jessica
in reply to ☂️- • • •It works as long as you can get at the authentication key that generates the one time codes. Usually you scan a QR code, but sometimes you have to paste it in as a string.
How you get that private authentication key can vary by service. For example, you can install steam mobile on an android emulator and use an open source program to extract the private authentication key.
root
in reply to zephorah • • •JustEnoughDucks
in reply to root • • •I am fighting this with people at work.
No, it is not "one more password to remember"
You have 2 passwords: your laptop and your Bitwarden. Forget everything else. Don't care. Use a passphrase if you have troubles with passwords.
I even generated a sample password from bitwarden and drew them a picture of how to remember it lol
Still about 10% of people forgot their password in the first 2 months.
Kit
in reply to The 8232 Project • • •The 8232 Project
in reply to Kit • • •like this
subignition e giantpaper like this.
Kit
in reply to The 8232 Project • • •Steve
in reply to Kit • • •like this
giantpaper likes this.
Anomaly ☑️
in reply to The 8232 Project • • •T (they/she)
in reply to The 8232 Project • • •like this
Anomaly ☑️ likes this.
MentalEdge
in reply to T (they/she) • • •Do you mean OTP?
I self-host vaultwarden, and I have that. I think it's a paid feature if not self-hosting?
T (they/she)
in reply to MentalEdge • • •Oh yes I meant OTP, typo of my part.
Yes, it is paid.
vovo
Unknown parent • • •AbidanYre
in reply to The 8232 Project • • •To be fair, that is super fucking annoying. I hate when I tell bitwarden to save my password only to have the site come back with it being too long and only some special characters are allowed.
like this
subignition e giantpaper like this.
The 8232 Project
in reply to AbidanYre • • •Clarification: They reuse the same password (such as "Password") and whenever they create an account they have to add special characters (like "Password1&" if numbers and #@&%$ were required) and when they login they forget which special characters were required by that service, meaning they don't know which special characters to append to their generic password to successfully login. The solution was to screenshot every password requirement for every service and still try to remember which characters were used.
But yes, there is an unrelated frustration where password requirements aren't presented upfront.
like this
giantpaper likes this.
14th_cylon
in reply to The 8232 Project • • •And pinnacle of this frustration is "password too long"... Talk about security
like this
giantpaper likes this.
Eager Eagle
in reply to 14th_cylon • • •which doesn't make sense as a requirement, as the passwords themselves are not even (supposed to be) stored
limits of 128+ characters? Sure.
Limits of 30, 20, 18, or 16 as I've seen in many places? I suddenly don't trust your website.
like this
giantpaper likes this.
The 8232 Project
in reply to Eager Eagle • • •giantpaper likes this.
ZeDoTelhado
in reply to Eager Eagle • • •floofloof
in reply to AbidanYre • • •KickMeElmo
in reply to floofloof • • •fuckwit_mcbumcrumble
in reply to floofloof • • •Preflight_Tomato
in reply to floofloof • • •viking
in reply to Preflight_Tomato • • •My webhost allows passwords of all length and complexities in the password set field, but will strip $ and & on the login mask on their main website, like in the top right corner.
A failed login will automatically bring you to a dedicated login.xxx.yyy subdomain and prompt a password reset, but if you use the login mask there instead, the exact same password works.
jollyrogue
in reply to floofloof • • •Login and password set/reset forms being out of sync is a classic. 😆
I haven’t seen that one in a while luckily.
Passerby6497
in reply to floofloof • • •HappyFrog
in reply to floofloof • • •max.levch.in/post/724289457144…
Shamir Secret Sharing
max-levchin (Tumblr)Hanrahan
in reply to AbidanYre • • •StanislavP
in reply to The 8232 Project • • •like this
giantpaper likes this.
solrize
in reply to The 8232 Project • • •like this
giantpaper likes this.
The 8232 Project
in reply to solrize • • •KeePassXC is entirely local.
LastPass (ironically) explains this best: blog.lastpass.com/posts/2022/0…
Why You Shouldn't Store Passwords in a Browser - The LastPass Blog
blog.lastpass.comlike this
giantpaper likes this.
solrize
in reply to The 8232 Project • • •like this
giantpaper likes this.
The 8232 Project
in reply to solrize • • •I guess the reasons I would make would be not all accounts are web-based, and using a browser for anything other than browsing is a bad idea. Browsers aren't exactly focused on keeping passwords safe, so why not use a tool designed for it? Don't keep all your eggs in one basket
P.S. Yes, FIDO2 is much more supported
like this
giantpaper likes this.
solrize
in reply to The 8232 Project • • •The 8232 Project
in reply to solrize • • •solrize
in reply to The 8232 Project • • •MentalEdge
in reply to solrize • • •Theoretically, it's possible to store a encrypted database on someone else's system in a way where they never have the ability to see its contents, as you encryption and decryption only ever happens in the client on your devices.
Whether this is actually done in a way that enforces that on various password managers is unknowable with proprietary code.
Personally I self-host vaultwarden. All the benefits of syncing my passwords across devices, but the server enabling that, runs on my hardware.
solrize
in reply to MentalEdge • • •MentalEdge
in reply to solrize • • •I'd not heard of the "mud puddle test" but I immediately thought that any provider that does that, is doing it wrong.
Unless there's an exploit of which I'm unaware, my self-hosted solutions pass the mud puddle test.
solrize
in reply to MentalEdge • • •MentalEdge
in reply to solrize • • •I agree with all of that, I was just pointing out that "uploading all your passwords to someone else's server" can be done in a way that isn't silly. You're preaching to the choir.
Though even then, the best way is for that server to be yours, not someone else's. And it does come with advantages in terms of convenience.
solrize
in reply to MentalEdge • • •MentalEdge
in reply to solrize • • •I don't understand.
You only use each passwords once? You never log in to things on a new device without the one on which you created the account on hand? You only ever need authentication on two devices?
I own half a dozen devices on which I might want to log into places, and on several occasions it has been extremely useful to be able to access my password database from a completely new device from anywhere in the world, with nothing but the memorized master credentials.
I don't think you can argue that the advantages don't exist, even if they aren't useful to you personally.
solrize
in reply to MentalEdge • • •For web browsing I use either my laptop or my phone, two devices. I could imagine having more but for now there are just those two.
kevincox
in reply to MentalEdge • • •cyph3rPunk
in reply to The 8232 Project • • •KeepassXC ++ Yubikey ++ STRONG password changed every 7 days.
::: spoiler Tap for spoiler
This solution is compatible with virtually all platforms & browsers
:::
conciselyverbose
in reply to cyph3rPunk • • •like this
giantpaper likes this.
yo_scottie_oh
in reply to conciselyverbose • • •conciselyverbose
in reply to yo_scottie_oh • • •Leaked how? No good practice allows any way for a password to "leak".
What rotating passwords does is ensure people who don't use a password manager either write their password down more and more frequently, or use a weaker password with some simple changing pattern that doesn't add anything.
yo_scottie_oh
in reply to conciselyverbose • • •Suppose a social media website has a data breach.
Okay, but suppose I use a password manager like Keepass, then does rotating my passwords not make me any safer in the event a social media website’s data is breached and ends up being sold off on the dark web?
The 8232 Project
Unknown parent • • •like this
giantpaper likes this.
Assian_Candor [comrade/them]
Unknown parent • • •like this
bacon_saber likes this.
Sudo Sodium
in reply to The 8232 Project • • •But the bad aspects of cloud services worry me a little about this: the possibility of a security breach of the service, or the possibility of not being able to access it for any reason is a real disaster if it happens... so I'm thinking of exporting my passwords to another safe place for such cases.
like this
giantpaper likes this.
The 8232 Project
in reply to Sudo Sodium • • •KeePassXC is entirely local.
Sudo Sodium
in reply to The 8232 Project • • •like this
giantpaper likes this.
The 8232 Project
in reply to Sudo Sodium • • •like this
giantpaper likes this.
eatham 🇦🇺
in reply to Sudo Sodium • • •kuneho
in reply to Sudo Sodium • • •like this
giantpaper e SaltySalamander like this.
The 8232 Project
in reply to kuneho • • •14th_cylon
in reply to The 8232 Project • • •The 8232 Project
in reply to 14th_cylon • • •14th_cylon
in reply to The 8232 Project • • •Alk
in reply to The 8232 Project • • •ikilledtheradiostar [comrade/them, love/loves]
in reply to Sudo Sodium • • •chrand
in reply to Sudo Sodium • • •I'm also using ProtonPass, and I agree it's a game changer. I love the interface, the Android app is amazing and well integrated.
To not be locked in into ProtonPass in case of real disaster, once a month I export the ProtonPass data and import to KeepassXC in my local machine. It's pretty easy, you just have to export to CSV, and import into KeepassXC, the interface will help you to map the CSV fields accordingly, and you will have a local accessible backup in case of disaster. Don't forget to remove the CSV from your computer after importing to KeepassXC.
pathief
in reply to Sudo Sodium • • •You can export all your passwords to an encrypted and password protected file. I ocasionally back it up to a USB device so that I always have an offline copy available.
Still, one of these days I was logged out of my proton pass on Android and couldn't connect to the internet. I was locked down.
zephorah
in reply to The 8232 Project • • •I’m not in IT but I followed the Michael Bazzell podcast until he disappeared. Guy was a bit paranoid but there was great info there. My understanding was browser saving passwords isn’t secure, that those passwords are open to scraping from bad players. Ofc I can’t reference this because the entire body of over 300 podcasts disappeared with him.
Agree on Bitwarden and such.
Thordros [he/him, comrade/them]
in reply to The 8232 Project • • •like this
giantpaper likes this.
cobysev
in reply to The 8232 Project • • •I was in the US Air Force for 20 years, working as an IT guy, and our computers were so locked down, you couldn't use password managers at work. Nor were you allowed to bring them in.
Almost every office I worked in was secured; no removable electronic devices allowed. No cell phones, no flash drives or removable drives. Heck, CDs were a controlled item. You had to check with a security manager for approval before bringing in a music CD, and and data CDs required a log of their use and physical control by a trusted agent.
Plus, the computers themselves had a custom-configured OS and you couldn't install any software on them that wasn't on a pre-approved list. Half the time, normal users needed to talk to an admin like me to install something, and I might not even have the rights at my level to do it.
I didn't get to mess around with password managers until I retired a couple years ago, and they've been a game changer! In the military, we needed unique complex passwords for everything, can't reuse passwords, can't write down passwords, and you had to change them every 60 days.
Having a password manager makes my personal accounts so much more secure. I can have super complex passwords for everything and not need to remember them. I currently have Proton Pass (been de-Googling my life and switching all my stuff over to Proton lately) and it's been wonderful.
I don't know why the military doesn't get some sort of password manager approved for use. This is far more secure than what they've been doing in the past. I had 3 standard password templates, then made minor changes to them for every unique account. If they got too complex, I'd forget them (and again, we weren't allowed to write them down). Now I can just auto-generate a 25+ character complex password and I don't even need to remember it. I love it!
like this
giantpaper likes this.
JustEnoughDucks
in reply to cobysev • • •The DoD actually did a study I thought "recently" on password security and found that changing passwords every X days lead to more insecure passwords since people would create shorter, easily changeable passwords that follow a very easy to crack pattern.
Don't think they changed their policy though.
pingveno
in reply to JustEnoughDucks • • •rowdy
in reply to pingveno • • •pathief
in reply to cobysev • • •Blizzard
in reply to The 8232 Project • • •like this
giantpaper likes this.
Monstrosity
in reply to Blizzard • • •That's what I've resorted to, but I only use Firefox because it has a master password.
Chrome has no master password so what stops any fool from stealing your passwords while you're taking a piss, I don't know.
Password managers always cause me headaches, though, and never want to integrate correctly. More trouble than their worth in my estimation.
like this
giantpaper likes this.
sgtlion [any]
in reply to Monstrosity • • •kevincox
in reply to Blizzard • • •Honestly nothing. I recommend this to everyone because it is the easiest way to set up and offers huge advantages.
I think these are the two biggest benefits and every browser password manager will accomplish both.
like this
giantpaper likes this.
_____
in reply to kevincox • • •Abracadaniel [he/him]
in reply to The 8232 Project • • •like this
giantpaper likes this.
kevincox
in reply to Abracadaniel [he/him] • • •like this
giantpaper likes this.
Lumun
in reply to Abracadaniel [he/him] • • •I do this too. I would need them if I lost my phone, so bitwarden/keepass is a good place for them to be.
I think it is less secure though since someone who somehow has the unencrypted vault without your 2FA device could get in with the codes - but if someone cracks my master password I'm screwed in a whole bunch of ways so I'm not sure it matters too much at that point.
giantpaper likes this.
lemmyknow
in reply to The 8232 Project • • •Say, what are the chances either
or
like this
giantpaper likes this.
helpImTrappedOnline
in reply to lemmyknow • • •Keepass is file based, it is up to you to backup the file, for most users putting it an auto-synced cloud drive folder is their best bet. It's automatic, multi-platform and offsite. Many technical users use sync thing (or equivalent) to manage the file across multiple backup locations.
KeePassXC is essentially a GUI for KeePass datbase, like word and openoffice can both open a .doc file, multiple programs can open a keepass file. If KeePassXC dies, theres others options for opening the file.
That being said, IOS options suck, theres one called Strongbox that is, in my opinion, the best. Its not FOSS like the others. Free version works 100% no problems, but they ask a high $20/yr sub or $90 lifetime for a handful of nonessential features (I'd love an decent alternative if anyone has one).
For Android I like KeepassDX and Keepass2Android.
Realistically, if you're the specific target of a hacker going specificaly after your database files you're best off freezing your credit and bank accounts.
If your database gets hacked, there are a few ways you can midigate the damge, its up to an individual to balance convince and security.
First is 2fa. Keepass works great for TOTP 2fa, with browser integrations, its a breeze signing into sites. If you want more security, you would have a seperate database file with a different master password for 2fa. Now a hacker needs to crack 2 databases.
Another way to midigate the risk is to seperate whatever emails you use from the main bunch, this way if the main databse gets compromised, you won't lose the emails that let you reset everything else. If the email gets cracked, they won't have a convient list of accounts to go mess with.
Also make sure the emails have all the security and recovery options available setup.
3, bonus round
Finally for fincial security, don't have your credit card saved on every site. I don't let most of them store it all and use privacy.com for pretty much every thing these days. Set transaction limits on regularly used sites, and set up a "1-time use" card for anythibg irregular.
Even if some brakes into, for example my amazon account, they are going to find a $100 purchase won't work. I'll get an email and can just cancel the privacy card for amazon (I'd probably kill them all to be safe) and then work on resecuring everything.
To top it off Privacy.com it self has a dedicated credit card attached with a strict limit to midigate damge.
like this
giantpaper likes this.
Preflight_Tomato
in reply to helpImTrappedOnline • • •For privacy.com:
- great for anyone in the USA
- don’t worry about difficult subscription cancellations again, just turn that one’s dedicated card off
- I have personally blown past the daily spend limit of 250$ without issue, idk if that limit is real. The 1000$/mo may be though I've never hit that.
- I’ve used privacy.com for everything from Amazon to car insurance to gym memberships.
On credit freezes:
- a freeze means that your consumer report will not be shared, which means applications for credit in your name will be denied
- all USA consumer reporting agencies (data brokers) are legally required to freeze sharing of your reports for free upon your request
- you can temporarily unfreeze when you get a new credit card, apply for rental property, etc.
- don’t let them upsell it or try to direct you to another page with similar language, it is free
- credit monitoring products need to request your report to see if any new accounts have opened. Don’t monitor it, prevent it by freezing the reports
- freezes are required for any data broker, not just credit. This includes LexisNexis (job history), and presumably the ones that do rental and vehicle ownership history though i don’t know their names.
helpImTrappedOnline
in reply to Preflight_Tomato • • •I was talking about the individual card limits that can be set, those definatly work.
Edit, looking my account, I too have 250daily and 1000 monthy limit. The next paragraph might be be outdated?
~~I know the total daily limit is "adaptive" or something set based on your spending habits. I'd prefer setting the limit myself, but it is what it is.~~
Preflight_Tomato
in reply to helpImTrappedOnline • • •kevincox
in reply to lemmyknow • • •These are real issues however they are pretty easy to mitigate, and I would say that the upsides of a password manager far outweigh the downsides.
like this
giantpaper likes this.
lemmyknow
in reply to kevincox • • •Well, what if they somehow manage to get into my password manager account? I mean, it has a login, like any other account. The way to prevent it would be to have a strong enough password. Regardless, if they somehow got my main password, they'd have free access to all my credentials everywhere, and would be able to log into them as easily as I can. I mean, it is easier to secure one account well vs. however many others that the password manager can take care of. But still, a centralised hub with easy access to all my accounts feels like a one-stop shop for taking over my online life
I mean, to myself, I can deal with the consequences of my choices (as much as they can suck sometimes). But recommending stuff to other people I find complicated. I mean, I've gotten locked out of accounts due to 2fa (some being old and lost to time, others due to an unlucky series of events and a last minute half-assed backup) and even had to troubleshoot and/or reinstall (Linux) operating systems on my laptop (one instance of which relates to the aforementioned 2fa incident). To recommend something to someone and risk something like that, and be responsible for it… I mean, I once had to help troubleshoot a non-booting Linux machine via messages and photos during lunch out, and I myself am not an expert, so I had to online research from my phone and relay the information
kevincox
in reply to lemmyknow • • •These are all good points. This is why it is important to match your recommendations to the person. For example if I know they have Chrome and a Google account I might just recommend using that. Yes, it isn't end-to-end encrypted and Google isn't great for privacy but at least they are already managing logins over all of their devices.
In many cases perfect is the enemy of better. I would rather them use any password manager and unique passwords (even "a text file on their desktop") than them sticking to one password anywhere because other solutions are too complicated.
mystic-macaroni
in reply to lemmyknow • • •gueybana [any]
in reply to The 8232 Project • • •giantpaper likes this.
cdf12345
in reply to gueybana [any] • • •jollyrogue
in reply to gueybana [any] • • •orca
in reply to The 8232 Project • • •like this
giantpaper likes this.
mystic-macaroni
in reply to The 8232 Project • • •My sell on password managers is quality of life. You never have to reset your passwords and you can use a hotkey to enter it faster than typing. Gone are the days of fat fingers.
But I get where people have an issue. It's one point of failure vs. many, but they don't realize It's easier to well secure the one than it is to not spread the same vulnerability everywhere.
like this
giantpaper likes this.
icedcoffee
in reply to mystic-macaroni • • •JamesConeZone [they/them]
in reply to The 8232 Project • • •like this
themadcodger, SaltySalamander e giantpaper like this.
Unmapped
in reply to JamesConeZone [they/them] • • •I self-host a lot of stuff. But password manager just feels risky to me. Like what if I mess up and lose all my data or something.
With bitwarden being encrypted and all I just didn't see any down side to using their server. Plus more convenient since I don't have to VPN to use it. Or open a port.
All of that just to ask. Am I missing something? Should I be self-hosting it? I wondered about using both so I'd have a backup ether way. Or in case their servers go down for awhile. But that's super rare.
JamesConeZone [they/them]
in reply to Unmapped • • •The 8232 Project
Unknown parent • • •like this
giantpaper likes this.
DUMBASS
Unknown parent • • •ColeSloth
in reply to The 8232 Project • • •jsomae
in reply to The 8232 Project • • •The 8232 Project
in reply to jsomae • • •KeePassXC: User Guide
keepassxc.org31337
in reply to jsomae • • •untorquer
in reply to jsomae • • •Syncthing has worked well for me between 3 devices(Linux, android, windows). I've had one conflict in 6mo and it was easy to identify the right copy to select in keepass' prompt since the more recent one was a larger file.
Synchthing also provides optional version control which makes backing up easy.
Sir_Kevin
in reply to jsomae • • •yeehaw
in reply to jsomae • • •lseif
in reply to jsomae • • •a Kendrick fan
in reply to lseif • • •i used to do this, until I started using syncthing
i only add password entries on my laptop then sync the file directly to my phone using syncthing to avoid conflict
Dyskolos
in reply to jsomae • • •Yet there's the online-component which is inherently vulnerable. Depends on how paranoid you are.
renzev
in reply to Dyskolos • • •Dyskolos
in reply to renzev • • •mrmojo
in reply to vovo • • •Tywèle [she|her]
Unknown parent • • •sgtlion [any]
in reply to The 8232 Project • • •Unless you really really need portability between devices, paying for an online password manager is idiotic in my view, you're generally just waiting for someone to hack it (which happens all the time).
I use firefox's local, inbuilt manager and that's everything I need.
andscape
in reply to sgtlion [any] • • •Wild ass comment.
Who doesn't??? What do you do, copy 20-char randomly generated passwords manually all the time? That's the whole point of password managers...
Browsers are NOT a secure storage for sensitive data, if you want a local password manager at least please use KeePassXC.
like this
giantpaper likes this.
sgtlion [any]
in reply to andscape • • •far_university190
in reply to The 8232 Project • • •lseif
in reply to far_university190 • • •backups backups backups.
keep a copy on your computer, your phone, and every spare drive u have in the house. ask a friend to store the file at their place.
also, whats wrong with a cloud provider, if the file is encrypted ?
like this
giantpaper likes this.
Dyskolos
in reply to lseif • • •Depends on your level of paranoia and planning for the future 😁
Redex
in reply to Dyskolos • • •Dyskolos
in reply to Redex • • •Also, whatever you COULD do in the future, a version of your passes where you didn't do it, already was in the cloud. It's not like you delete a thing there and it's totally gone forever.
qqq
in reply to Dyskolos • • •cryptography that is secure against quantum computers
Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)Dyskolos
in reply to qqq • • •far_university190
in reply to Dyskolos • • •only some asymmetric ecryption (rsa already known) vulnerable to quantum and still need much more qbit to work good.
symmetric encryption (aes) not known to be vulnerable, but maybe in future
far_university190
in reply to lseif • • •deluxeparrot
in reply to far_university190 • • •LessPass
www.lesspass.compingveno
in reply to deluxeparrot • • •deluxeparrot
in reply to pingveno • • •That's true. But they do give you easy, portable, site specific passwords. No apps or database syncing required.
If you just want to log in to Lemmy on a work computer at lunch it seems a good option to me.
far_university190
in reply to pingveno • • •Obviously, it does not store password, only create them.
Then they not password manager, they secret manager. With maybe random key generator.
The Cuuuuube
in reply to far_university190 • • •absGeekNZ
in reply to far_university190 • • •Syncthing!
I use KeepassXC and sync my DB to my phone/laptop/desktop and backup to my server.
far_university190
in reply to absGeekNZ • • •absGeekNZ
in reply to far_university190 • • •far_university190
in reply to absGeekNZ • • •BenchpressMuyDebil
in reply to The 8232 Project • • •unrushed233
in reply to BenchpressMuyDebil • • •Ashen
in reply to The 8232 Project • • •Quick question - what are your opinions on using Firefox's inbuilt password manager? I've installed Bitwarden as an extension, but I find Firefox to be more convenient.
I mostly use FF on Linux, Windows, and Android and have no issues with using FF cross platforms.
like this
giantpaper likes this.
tetris11
in reply to Ashen • • •Xeroxchasechase
in reply to tetris11 • • •iturnedintoanewt
in reply to Ashen • • •johannesvanderwhales
in reply to iturnedintoanewt • • •marcie (she/her)
in reply to johannesvanderwhales • • •Dyskolos
in reply to Ashen • • •Don't. It's not in your hand is the simple reason.
My advice is keepassxc. Got a ff-addon that does basically the same. But you have your password-file under your control.
And do backups!
okamiueru
in reply to Dyskolos • • •Dyskolos
in reply to okamiueru • • •And you can never have security AND comfort. Security is absolutely always uncomfortable.
idefix
in reply to Ashen • • •Rubanski
in reply to The 8232 Project • • •morgin
in reply to Rubanski • • •Apple is releasing a more comprehensive password manager in the next few months, if she’s heavily in the apple ecosystem the switch could be pretty convenient
Obviously bitwarden or keepass would be great but this would be a bump up from being stored in a browser
Rubanski
in reply to morgin • • •Puttaneska
in reply to Rubanski • • •My understanding is that your GF will be using Apple’s KeyChain, which is pretty good except that it’s hard to look inside and manually edit. It’s not just in Safari.
The upcoming Password app is just a nice user interface to KeyChain. So no change to the functionality as such, but I think it’ll make a big difference to how it’s used.
unrushed233
in reply to Puttaneska • • •It's actually pretty easy when you're on a Mac. They bundle an app called Keychain Access, which lets you look at and edit everything.
Puttaneska
in reply to unrushed233 • • •unrushed233
in reply to Rubanski • • •zeh_ahoi
in reply to The 8232 Project • • •Bitwarden Heist - How to Break Into Password Vaults Without Using Passwords
RedTeam Pentesting - Blogrowdy
in reply to zeh_ahoi • • •Dyskolos
in reply to zeh_ahoi • • •With keepasscx YOU have the password-file. Period. You know what's been done with it: Nothing, as it doesn't phone home except update-checks. Which you can also disable.
With the browser-addon you'll get the same result but with control.
The Cuuuuube
in reply to zeh_ahoi • • •zeh_ahoi
in reply to The Cuuuuube • • •show me an example of the firefox password manager being "cracked". i mean i still sync them into my local nextcloud. @Dyskolos@lemmy.zip suggests it is cool to have your passwords in a file?!
doubt there is a scenario where using MORE services makes anything safer. Well maybe for Windows Users....but thats a dying species with the win11 crap.
so no. third party corpos....the worst.
The Cuuuuube
in reply to zeh_ahoi • • •Sure yeah. I think corpos suck, too. That's why I don't prefer 1password. But Firefox puts their passwords into a file, too (two actually). Key3.db and Logins.json, both with known locations, and encrypted using AES-256-GCM which is... Decent but I prefer to go a little more hardened. The thing with keepass is the following:
But I want to make it abundantly clear. @Dyskolos@lemmy.zip has not recommended storing your passwords in a file. They have suggested storing your passwords in a mechanism that can be as secure as your hardware is capable of securing and keeping the location of that up to your own decision making.
But also. Promise me this. If you're going to keep using Firefox as your password manager:
Dyskolos
in reply to zeh_ahoi • • •a Kendrick fan
in reply to The 8232 Project • • •renzev
in reply to a Kendrick fan • • •Pass: The Standard Unix Password Manager
www.passwordstore.orgNauticalNoodle
in reply to renzev • • •Wild Bill
in reply to The 8232 Project • • •unrushed233
in reply to Wild Bill • • •gwen
in reply to The 8232 Project • • •pathief
in reply to gwen • • •gwen
in reply to pathief • • •ililiililiililiilili
in reply to gwen • • •𝚝𝚛𝚔
in reply to The 8232 Project • • •On the plus side, the more people who don't use password managers the more chance us password manager users will remain not worth the effort.
It's kinda like security through obscurity mixed with only having to be faster than the slowest person to outrun a lion.
EuroNutellaMan
in reply to 𝚝𝚛𝚔 • • •I disagree. Password managers are still target of threat actors, a juicy one at that, but it's not too often you hear of breaches of good password managers. Chances are the people behind the good password managers are better at security than 99% of users (including more technical ones). Even after a breach exporting all the passwords and moving them to another service, and changing all your passwords again with more secure ones is trivially easy.
If everyone used them sure there'd be more pressure on said password managers but hackers will find it a lot more difficult to hack anything in general and it will still not be worthwhile to hack average users who use a password manager.
Zicoxy3
in reply to The 8232 Project • • •I have been using password gestoires for a long time. First LastPass, until I switched to GNU/linux and discovered Keepass and then KeepassXC.... For me they are indispensable.
That's the one I used until about 1 year ago when I started having problems with the Firefox addon. It did not recognize the pages.
I tried ProtonPass and I like it, but I don't like having them online, no matter how secure the site is.
I've tried going back to KeepassXC, locally, but the file I export from ProtonPass won't load in KeepassXC. I feel stuck.
Translated with DeepL.com (free version)
zkrzsz [he/him]
in reply to Zicoxy3 • • •Zicoxy3
in reply to zkrzsz [he/him] • • •ReversalHatchery
in reply to Zicoxy3 • • •Open a bug report in KeepassXC's repository, maybe it's a big in their code. Or they'll tell you that the bug is in proton pass, and you can report it there too so that they know about it and can fix it. Maybe the KeepassXC team can give you a workaround too
Zicoxy3
in reply to ReversalHatchery • • •My English is very poor for technical explications.... I search the issue in KeepassXC Github but I don't found similar solution.
ReversalHatchery
in reply to Zicoxy3 • • •Proton Pass is a pretty new service, maybe there haven't been much users yet who have moved to KeepassXC from it. I would say give it a try, it's not that bad.
Something else you could try is:
a) check the Bitwarden repo if anyone had a similar problem as you. If so, it's more likely that it's a Proton Pass problem, and maybe they have some tips.
b) import your Proton Pass export to another password manager (Bitwarden, original Keepasd), export it from there, and try to import this in KeepassXC. Though this might have a higher chance of losing some information, in the sense of metadata. If you go this way, don't forget to make a fresh export of your Proton Pass account, in case you have changed something there in the meantime
pathief
in reply to The 8232 Project • • •I've been using Proton Pass and it has been a game changer for me. Hot take: I think Proton Pass is Proton's best service.
It creates not only a unique password for each service but also a unique email address alias. If a website leaks my email address and I get spam, I know exactly who did it and I only need to swap 1 login credential.
Has a built-in 2FA and passkeys. Works great in the browser with proper auto complete, even for the 2FA code. Works fine on Android and password in both browser and applications get autocomplete.
Proton Pass can be used by everyone, regardless of their technical level, in every device. My mom could easily use this across all her devices. I'm told Keepass is fantastic but having it sync across all her devices would be challenging for her.
Most Proton services feel kinda underbaked but Proton Pass is excellent.
InputZero
in reply to pathief • • •pathief
in reply to InputZero • • •I have worked in retail to help pay for university. It was a miserable job. Dealing with people made me a worse person.
I am very "passionate" about Proton Pass but don't take me for a Proton chill, I have a lot of criticism about their other products.
Chais
in reply to pathief • • •I'm using KeePassXC and have no intention of switching, plus I'm paying for an account anyway, I just feel that 2FA is such an essential feature for a password manager that it shouldn't be locked behind a paywall.
pathief
in reply to Chais • • •alkaliv2
in reply to pathief • • •Pyr
in reply to The 8232 Project • • •No1
in reply to Pyr • • •2FA really stands for
2 FUCKING ANNOYING !!!
Crikeste
in reply to No1 • • •JubilantJaguar
in reply to Crikeste • • •Crikeste
in reply to JubilantJaguar • • •JubilantJaguar
in reply to Crikeste • • •If the password is unique, there's no risk!
Incidentally: not re-using passwords should be the only responsibility of the user. It's impossible to brute-force a password through a login form, you need full access to the disk. So when sites complain about poor password strength, effectively they are saying "We don't trust ourselves to keep our server safe". Pretty insulting to blame the user for that.
Crikeste
in reply to JubilantJaguar • • •Hmm. Maybe I’m misunderstanding something fundamental about cyber security, but wouldn’t a server leak give you login credentials regardless of the uniqueness or amount of use a password has? And 2FA would still protect against that?
I might have thrown my hat into a ring I have no place in lmao
EuroNutellaMan
in reply to Crikeste • • •Unless the website is handled by complete morons it stores credentials in an hashed format. Usually to crack this we'd use rainbow tables or wordlists of known passwords, and essentially we use every word to generate the hash until it matches.
If your password is strong and hasn't been compromised (check regularly on haveibeenpwned) it will likely not be in any wordlists and it also won't be easy to crack. Now, password managers can generate the best passwords because they're completely random and very long by default so to crack them you'd have to try every possible character combination, this takes time, and specifically a time so long that statistically the andromeda galaxy and milky way will merge into one before the password is cracked (at least until quantum computers become a thing, then it's mere minutes).
2FA helps because even if they crack the password they then need the 2FA code, which you can't really guess or brute force and is seen on a third party app you don't control (unless you use sms, they can spoof SIMs ro view the sms you receive and therefore degeat 2FA). It also doubles as something that alerts you that someone is trying to access your account.
JubilantJaguar
in reply to EuroNutellaMan • • •Yes this clarifies things. In summary, without 2FA:
So it's a trade-off. If everyone was in the first category, then the obvious inconvenience of 2FA would just not be worth the benefit.
EuroNutellaMan
in reply to JubilantJaguar • • •Absolutely not. You should always use 2FA. Most decent password managers even make it easy for you.
While cracking a strong password is nigh impossible rn they are still vulnerable to data breaches and pass-the-hash attacks.
JubilantJaguar
in reply to EuroNutellaMan • • •EuroNutellaMan
in reply to JubilantJaguar • • •2FA should always be enabled. Doesn't mean you always have to log out of a website. It's a massive important security feature: it saves your ass if your passwords are leaked/cracked/bypassed and it warns you that someone is trying to access your account. Apps like ProtonPass literally make it extremely trivial to fill it in, just push the button that pops up and it will autofill the 6 digit code (or copy it to your clipboard in the worst case), it's not SMS 2FA, so you're frankly stupid for not using it if you have that option.
You didn't address shit, strong passwords will still be vulnerable to certain attacks even if everyone used them. This isn't a privacy matter either it's a security one and regardless of what your threat model is 2FA should always be part of your security, there's a reason more and more websites and apps are pushing it, cause if you don't force idiots to adopt it they won't even if it's extremely important, same reason as why we need rules to make passwords more complicated. It may be an inconvenience (very tragic for the user I know, how dare they make something that autofills and takes a few seconds of my day away from watching useful shit like brainrot and some dumb comments on my favorite social media platform) but it's an extremely important and necessary measure.
No1
in reply to Crikeste • • •I've got a random username if the stupid website/app allows it. Most don't. It has to be your email address.
And a minimum random 20 char password for each website/app. Again if the stupid website/app allows it.
Secure your (I don't mean you personally) fucking website/app and credentials storage and stop making your weaknesses my problem.
Most places, and all of my stupid financial websites/apps, only have phone/SMS as the second factor. And yet there are plenty of horror stories about people 'losing' their phone numbers.
Oh wait. There is one financial site that has developed its own authenticator app. I really expect that to go about as well as storing passwords in cleartext.
Then there's all the shit websites/apps that I don't give a fuck about that now insist on having 2FA set up. They're not interested in the security, it's just to get your email and phone number to onsell your data to whoever.
It's fucking security theater.
Crikeste
in reply to No1 • • •“Then there's all the shit websites/apps that I don't give a fuck about that now insist on having 2FA set up. They're not interested in the security, it's just to get your email and phone number to onsell your data to whoever.”
Of everything you wrote, this one had my eyes wide. Hadn’t even crossed my mind that could be a problem. 🤦🏽♂️
NauticalNoodle
in reply to Crikeste • • •Crikeste
in reply to NauticalNoodle • • •Good point. I guess it’s never really bothered me. It’s one of those things I’ve just come to expect nowadays.
I stand by it being cash money though. lmao
EuroNutellaMan
in reply to NauticalNoodle • • •I mean, using password managers is both more convenient and more secure than 99% of things most user do to handle passwords so idk.
And some like Proton Pass also double as 2FA apps and make that trivially easy too by autofilling everything with a click
KevonLooney
in reply to Pyr • • •NateNate60
in reply to Pyr • • •Password is necessary for two-factor authentication. The factors of authentication are something you know (like a password), something you have (like a cell phone), and something you are (like a biometric).
An example of three-factor authentication would be this—imagine a spy going into a secret bunker. They need to scan their iris, insert a key card, and then enter a passcode before the door opens. This has all three factors of authentication; the passcode is something they know, the key card is something they have, the iris scan is something they are.
If it just sends a code to your phone, that's one-factor authentication (something you have). Anyone with your phone can get into your account. Unless, of course, your phone hides its notifications and you have a screen lock. Then that's actually two-factor authentication because you also need to know the phone PIN or have the biometric.
If it just asks for a password, that's one-factor authentication (something you know).
If it asks for your password and then sends a code to your phone, which you need a fingerprint or face scan to unlock, you have achieved three-factor authentication.
Edit: Interesting tidbit—in the USA, you can rent a mailbox at the post office to receive mail when you don't want to give out your real address. Useful for privacy reasons. I'm sure they have similar things in other countries. These mailboxes come with a key. This is actually two-factor authentication, because the keys usually don't have the mailbox number written on them! So you have to have the key and also have to know which mailbox among the hundreds at the post office it opens.
shuzuko
in reply to NateNate60 • • •qqq
Unknown parent • • •Replying to this pretentious comment for the sake of others reading this:
Run
history | grep genpasswdfor why this is not a good password storage solution. One must image skill issue.If you think the CLI is the cool kid way to go, use passwordstore.org/, but tbh I don't recommend that either.
Pass: The Standard Unix Password Manager
www.passwordstore.orgfeoh
in reply to The 8232 Project • • •I blame the tinfoil hat infosec crowd for not understanding that the world they inhabit is not the same one Regular Users live in.
Is there risk in keeping all your passwords in one place, whether it's on your hardware or someone else's? hell yes! Is that risk stastically speaking ANYTHING LIKE the risk you take when you use 'pencil' for all your passwords because you can't be arsed to memorize anything more complex? OH HELL YES.
Sure, if you're defending against nation state level agressors, maybe using a password manager isn' the wisest choice, but for easily 99% of computer users, we're at the level of "keeping people from drooling on their shoes". So password managers are probably a GREAT idea.
ReversalHatchery
in reply to feoh • • •That is, when they can manage to use it.
Appoxo
in reply to feoh • • •It just so happens that a manager is also god damn convenient for the private individual
feoh
in reply to Appoxo • • •ashok36
in reply to The 8232 Project • • •NastyNative
in reply to ashok36 • • •Nighth4wk
in reply to NastyNative • • •Korthrun
in reply to The 8232 Project • • •So many folks talking about which software they use, and how they sync it between devices etc.
You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you're using to perform your login and it will work on any modern device even without internet access.
Oh and no subscription fee to cover the costs of cloud infrastructure.
ZeDoTelhado
in reply to Korthrun • • •Korthrun
in reply to ZeDoTelhado • • •ZeDoTelhado
in reply to Korthrun • • •trolololol
in reply to Korthrun • • •Korthrun
in reply to trolololol • • •That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.
The password db is stored encrypted on the device. Accessing the passwords requires all of:
Three PIN failures and the smart card is invalidated.
That sort of covers "stolen" and "lost + recovered by a baddie". Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.
As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.
In the super "just in case" move, I also keep a keepassdb on said thumb drive. In case my device fails and it's just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.
Appoxo
in reply to Korthrun • • •I would believe a salted and hashed 0-knowledge password vault is more secure than a US-company which could be forced to surrender private keys used for the encryption
Korthrun
in reply to Appoxo • • •How would any company, regardless of geography have the secret I generated? This is a stand alone hardware device. They seller is not involved at all once I've received my package.
Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you'd know your device and card are stolen. Now you're in a race to reset your passwords before they finish making 500 clones of the smart card they stole.
Hypothetically I could blackmail someone at LastPass and have a backdoor is installed for me.
Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯\_(ツ)_/¯
Appoxo
in reply to Korthrun • • •You lost an arm. Remember to use the
\to escape the markdown ;)I don't know much of smart cards and the whole hardware based authentication beyond knowing they exist at all so please take my questions for what they are.
I was thinking the encryption on those cards are done with a private key and a writer/reader by the manufacturer (like HID). So if the NSA busts down the door and demands the key you could technically decrypt it.
So if you generate your own private key that vector is obviously mitigated, assuming they are providing the tool with a non-reversible hashing process or a guide on how to generate the key so it wouldn't aid in the brure forces decryption.
Thank you for the info 😀
Korthrun
in reply to Appoxo • • •I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it 😛 (fixed now!)
I've been using this device for ~5 years now, so my memory is a little hazy on it, but I'm pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn't generated until you setup your first card.
Rolivers
in reply to trolololol • • •mechap
in reply to The 8232 Project • • •Having my passwords written down on a piece of paper is not safe ?
ReversalHatchery
in reply to mechap • • •KeenFlame
in reply to ReversalHatchery • • •ReversalHatchery
in reply to KeenFlame • • •Security and safety are not synonymous, they have a different meaning.
Security is that your password is stored in a way that it cannot be accessed by those you don't want. Safety means that you won't lose access to it and that it remains usable.
The distimction may be clearer with an other example.
A factory is secure if only the employees can enter, and it is safe if it does not want to fall apart and the machines in it don't kill the employees.
Maybe it can be generalized so that security is for the access, safety is for the mistakes and the disasters.
EuroNutellaMan
in reply to mechap • • •No. Anyone near you or with access to your place can see it. And most people know of the tricks.
Also you can't encrypt it and most of all you can't really generate as strong passwords as those generated by password managers, meaning I don't even need the paper to try and crack your password
Eunie
in reply to EuroNutellaMan • • •My friend, you will be surprised that encryption is something that not only the magical internet machine can do.
EuroNutellaMan
in reply to Eunie • • •It's still nowhere near as secure and convenient as using an appropriate tool. You will either have one that is easy to decipher and remember or one that is hard to decipher and remember. And you have to do it every time but at that point you might aswell just remember one password/passphrase and use it for your password manager, defeating the whole point.
Also bare in mind convenience is important in security, if a measure is very inconvenient you will eventually just bypass it on your own cause you can't be arsed.
mechap
in reply to EuroNutellaMan • • •unrushed233
in reply to The 8232 Project • • •Using 2FA on all accounts that offer it is just as important. And make sure to use a good, open-source TOTP client like Aegis on Android or Tofu on iOS.
Definitely make sure to backup your seeds in an encrypted format (e.g. Veracrypt container or GPG-encrypted files). If you lose your seeds, you lose access to your accounts.
I like to use the automatic backup feature in Aegis, which syncs my encrypted vault to my Nextcloud server. You can also enable compatibility with Android's backup API and use that if your ROM includes a backup solution like Seedvault.
GitHub - seedvault-app/seedvault: A backup application for the Android Open Source Project.
GitHubtrolololol
in reply to unrushed233 • • •NateNate60
in reply to trolololol • • •TOTP is standardised by RFC 6238 so all TOTP clients must comply with the standard and therefore work equally well. Pick the one whose UI you like the most and is otherwise good enough for your use case and personal preferences. It's similar to arguments over CPU thermal paste—its presence or absence makes a much larger difference than the method of application.
You do, however, want to pick something that is free and open-source and also popular. Google Authenticator (closed source) definitely is a functional TOTP client but you have to trust that the Google engineers have done a good job building a secure app. Since it's Google, they probably have, but a principle in security is that you should not have to trust more people than absolutely necessary.
unrushed233
in reply to trolololol • • •Appoxo
in reply to trolololol • • •trolololol
in reply to Appoxo • • •LordCrom
in reply to unrushed233 • • •capital
in reply to LordCrom • • •It might not be any more private but I give out my Google voice number to people/businesses I don’t really want to hear from or suspect my data will be sold by.
What’s really frustrating is that some services detect GV (and other VOIP providers) and just say you can’t use it.
LordCrom
in reply to capital • • •capital
in reply to LordCrom • • •Forgot to add this bit in my first reply:
This is especially bad since I’m more confident that GV is less susceptible to a SIM swap type of attack since I can disable it on my account which is of course protected by real 2FA (not SMS).
Meanwhile T-Mobile has shown a few times that they’re vulnerable to SIM swap attacks.
Appoxo
in reply to unrushed233 • • •And if the company doesnt supply one, use your own at your own discretion /shrug
unrushed233
in reply to Appoxo • • •Jivebunny
in reply to The 8232 Project • • •Interstellar_1
in reply to The 8232 Project • • •renzev
in reply to Interstellar_1 • • •Interstellar_1
in reply to renzev • • •NateNate60
in reply to renzev • • •horse
in reply to renzev • • •superkret
in reply to Interstellar_1 • • •You can't hack a paper note over the internet.
thirteene
in reply to superkret • • •NateNate60
in reply to thirteene • • •Appoxo
in reply to thirteene • • •One of the only possibilities is them and their infrastructure getting ransomed
thirteene
in reply to Appoxo • • •Honestly this is the part that scares me the most. Well maybe it's the fact we have multiple plausible scenarios... What happens when you get locked out of bitwarden? I imagine the 256 randomized salted hash passwords will be hard to call, some companies will likely be able to restore your password via phone support. During that time, informed attackers will potentially have the master keys to your entire life. Fighting ai chatbots trying to recall security questions. During that time your phone and Internet service could be shut off, secondary emails changed and validated, money transferred out of bank accounts, stocks and crypto sold. Crowdstrike was a valuable security company.
Appoxo
in reply to thirteene • • •The FAQ answers the question of getting locked out: bitwarden.com/help/forgot-mast…
TLDR: You are fucked if you lost the recovery codes.
Best case: You do encrypted backups every once in a while
I Forgot my Master Password | Bitwarden Help Center
Bitwardendesertdruid
in reply to Interstellar_1 • • •SocialMediaRefugee
in reply to Interstellar_1 • • •JubilantJaguar
Unknown parent • • •Not gonna happen.
renzev
Unknown parent • • •EuroNutellaMan
in reply to JubilantJaguar • • •Ovata
in reply to The 8232 Project • • •Been using Bitwarden for a couple years now…
No regrets
idefix
in reply to The 8232 Project • • •So yes, use a password manager and the one provided by Firefox is perfect for almost everyone.
Appoxo
in reply to idefix • • •The only reason should be that it needs to decrypt the vault upon login which (depending on the iterators of the encryption and the processing speed of the system) can take a second more. Until then it's equal to a native integration.
Upside: You are not locked to a browser anymore as (at least Bitwarden) is agnostic.
idefix
in reply to Appoxo • • •On android, there's a 4 second lag to get the fingerprint reader ready, 0 with Firefox.
I'm not going to switch from Firefox anytime soon but it's super easy to export passwords and the Firefox password manager works for any apps on Android.
Appoxo
in reply to idefix • • •If the vault is still within unlock period the auto-fill takes even less time (assuming the authentication URL regex is correct. It's a bit annoying with subdomains)
Lifter
in reply to idefix • • •idefix
in reply to Lifter • • •No need to go to the computer.
Lifter
in reply to idefix • • •idefix
in reply to Lifter • • •idefix
Unknown parent • • •Although my bank does use a complicated password system that cannot be used by password managers.
NateNate60
Unknown parent • • •idefix
Unknown parent • • •KeenFlame
in reply to NateNate60 • • •Mio
in reply to The 8232 Project • • •I have the need to have different accounts to everything. Hate to perform the sign up process over and over again. They really need to standardize this.
Passkeys is one step forward but far from enough.
I hate the idea of having to login again and again with just a minute interval that I see BankID requires as it is for different things. Like I constantly have to prove it is still me here. BankID is the app in my country that gives you access to your Bank account, government stuff and so on. It connects to your personal number and ID you in real life.
So the issues you describe is just the result of how bad designed the web is today. It is simple for every company but hard for the user.
SLVRDRGN
in reply to Mio • • •Lifter
in reply to SLVRDRGN • • •Sweden
They don't require it, you can also go to a physical office if you don't have BankID. Also BankID is a private company wo is problematic on several levels.
Many government agencies have started accepting multiple ways to identify yourself such as Freja.
Some politicians would prefer a standardized governmental solution to identity.dagensps.se/bors-finans/kinber…
I'm not so sure about that though.
It's an ongoing topic. We'll see more where it goes.
Mio
in reply to SLVRDRGN • • •The banks built BankID and charge companies that use it(not consumers).
Freja - en mobil e-legitimation i form av en app – helt gratis
FrejaElectricMachman
Unknown parent • • •mkhopper
in reply to The 8232 Project • • •I used to use a plain text system, "encoded" in such a way that only I knew what the actual password was, and I kept it on Google Keep.
But that for harder and harder to manage, coupled with, if I were to get run over by a bus, no one else would be able to access my accounts.
Now I've been using Dashlane for a few years. Not just for passwords, but secure notes as well.
Works seamlessly on all of my devices and zero complaints.
SLVRDRGN
in reply to mkhopper • • •nialv7
in reply to renzev • • •inbeesee
Unknown parent • • •monobot
in reply to The 8232 Project • • •It is truly upsetting to see how complicated for use password managers are.
I grow up around computers and I can barely mange them. Other people just don't understand how to use them, it is complicated and inconvenient. Even after I set them up and show them multiple times, friends don't manage.
In browser password managers cover 90%, but I guess web sites and apps need to start testing UX for password managers. Some of them introduce stupid flows that brake all of them.
Android is complete shit show.
It is not users, but applications and UX that doesn't care about security.
ray
in reply to monobot • • •MerchantsOfMisery
in reply to monobot • • •frezik
in reply to MerchantsOfMisery • • •Sorta. I find it doesn't always pop up Bitwarden to select an autofill. Then I unlock it manually, and sometimes it then gives me the button for autofill. Sometimes not and I have to manually copy and paste.
And sometimes there's a broken ass app that blocks you pasting passwords. People need to be fired for this.
Same thing happened to me on Last Pass, so I'm pretty sure it's an Android issue.
ji17br
in reply to monobot • • •Caveman
in reply to The 8232 Project • • •I use a password pattern. I have hundreds of different passwords all stored in my head and all between 10-20 characters long. The trick is to have a deterministic formula for picking a password.
Example: short word + First 6 in url + symbol + short word capitalised + number
Let's say the first word is cat and second is dog, symbol is - and number is 5 and you have a Gmail it would give you
"catgmail-Dog5"
passwordmonster.com/ gives it 61 years to crack this one but if you use longer words you get better times.
Password Strength Meter
PasswordMonsterhatter
in reply to Caveman • • •Caveman
in reply to hatter • • •kettle
in reply to Caveman • • •Caveman
in reply to kettle • • •That's assuming that a human will ever see it. People cracking passwords either have all of them and then use an automated tool or hack a person specifically by decrypinc a password hash which will take an immense amount of time and electricity.
Still since that's a concern I can modify the formula. By splitting gmail into g and mail and sticking g at the front.
gcatmail-Dog5
frezik
in reply to Caveman • • •Not how it works.
First of all, there's far too many companies out there still storing passwords in plaintext.
Second of all, even with a good hash algorithm, hacking a specific person's password out of a leaked database is still feasible when your passwords are variants of a couple of dictionary words with a few numbers and symbols attached.
Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site's part will likely protect it.
FlihpFlorp
in reply to nialv7 • • •spookedintownsville
in reply to The 8232 Project • • •tootnbuns
in reply to spookedintownsville • • •Mio
in reply to NateNate60 • • •nullroot
in reply to The 8232 Project • • •Possibly linux
in reply to nullroot • • •purplemonkeymad
in reply to The 8232 Project • • •tootnbuns
in reply to purplemonkeymad • • •1) Its not like people are gonna steal book
2) the password crackin people are not the breakin people
LemmyRefugee
in reply to The 8232 Project • • •SocialMediaRefugee
in reply to The 8232 Project • • •sheogorath
in reply to SocialMediaRefugee • • •Maniac
in reply to sheogorath • • •sheogorath
in reply to Maniac • • •Kaiserschmarrn
in reply to SocialMediaRefugee • • •alfenstein
in reply to Kaiserschmarrn • • •Kit
Unknown parent • • •AbidanYre
Unknown parent • • •renzev
in reply to FlihpFlorp • • •Echo5
in reply to The 8232 Project • • •